The presence of malicious software in a network typically causes performance and/or security issues in that network. Malicious software running in a network usually must communicate with hosts outside the network, for example with a command-and-control (C&C) server. Communications between malicious software and a C&C server may be crafted to look like "normal" encrypted traffic in order to escape detection by network security elements.
For encrypted Transport Layer Security (TLS) traffic or encrypted Secure Sockets Layer (SSL) traffic, an organization or enterprise attempting to detect traffic associated with malicious software may deploy TLS interception proxies or SSL interception proxies in its network. For an interception proxy to perform its intended functions, the client generally must trust a root certificate provided by the proxy, typically by having that root installed in the client's trust store. Because the proxy terminates the TLS connection and re-signs the server's certificate under its own root, the certificate chain presented to the client differs from the chain the origin server would present. Malicious software operating on a client may therefore identify an interception proxy, for example by comparing the presented certificate or public key against a pinned expected value, and may take steps to avoid being detected. For example, malicious software may refrain from exchanging C&C traffic, or may switch to a different format of C&C traffic, in an effort to escape detection.
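The following is an added example, not code from the original document, showing the detection logic described above from the client's side. It constructs a hypothetical PKI entirely in memory: a "real" root CA that issues a certificate for the host `updates.example.test`, and a separate "interception" root CA that re-issues a certificate for the same host, as an interception proxy would. The client's trust store contains both roots (the enterprise has installed the proxy root), so both chains validate. The client nonetheless distinguishes the proxied connection by pinning the SHA-256 hash of the expected leaf's SubjectPublicKeyInfo (the HPKP/Chrome pin format): a chain that is trusted but carries the wrong public key indicates interception. All names, hosts and the `Inspect`/`Verdict` helpers are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for subject. When parent is nil the certificate
// is self-signed (a root CA); otherwise it is signed by parent/parentKey.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{subject} // SAN, required for hostname verification
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signKey := tmpl, key
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// SPKIPin returns base64(SHA-256(SubjectPublicKeyInfo)) of a certificate.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// Verdict records what the client sees: a chain that validates against its
// trust store, whether the pinned key matched, and the resulting conclusion.
type Verdict struct{ Trusted, PinMatch, Intercepted bool }

// Inspect validates leaf for host against roots and compares its SPKI pin.
// "Trusted but wrong key" is the signature of an interception proxy whose
// root the client trusts; an untrusted chain is just an ordinary TLS failure.
func Inspect(leaf *x509.Certificate, roots *x509.CertPool, host, expectedPin string) Verdict {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	v := Verdict{Trusted: err == nil, PinMatch: SPKIPin(leaf) == expectedPin}
	v.Intercepted = v.Trusted && !v.PinMatch
	return v
}

// Scenario holds the constructed (hypothetical) PKI used by this example.
type Scenario struct {
	Host                                      string
	RealRoot, RealLeaf, ProxyRoot, ProxyLeaf *x509.Certificate
}

// BuildScenario issues a genuine chain and a proxy-reissued chain for one host.
func BuildScenario() Scenario {
	host := "updates.example.test" // hypothetical server the client contacts
	realRoot, realKey := issue("Example Public Root CA", true, nil, nil)
	realLeaf, _ := issue(host, false, realRoot, realKey)
	proxyRoot, proxyKey := issue("Corp TLS Interception CA", true, nil, nil)
	proxyLeaf, _ := issue(host, false, proxyRoot, proxyKey) // same host, different key
	return Scenario{host, realRoot, realLeaf, proxyRoot, proxyLeaf}
}

// Pool builds a trust store from the given root certificates.
func Pool(certs ...*x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	for _, c := range certs {
		p.AddCert(c)
	}
	return p
}

func main() {
	s := BuildScenario()
	pin := SPKIPin(s.RealLeaf)          // value the client would ship with
	store := Pool(s.RealRoot, s.ProxyRoot) // enterprise installed the proxy root
	fmt.Println("pinned SPKI:", pin)
	fmt.Printf("direct connection: %+v\n", Inspect(s.RealLeaf, store, s.Host, pin))
	fmt.Printf("via proxy:         %+v\n", Inspect(s.ProxyLeaf, store, s.Host, pin))
	fmt.Printf("proxy root absent: %+v\n", Inspect(s.ProxyLeaf, Pool(s.RealRoot), s.Host, pin))
}
```

The third case shows why the installed root matters: without the proxy root in the trust store the proxied chain simply fails validation, which a client cannot tell apart from any other broken chain. Only the trusted-but-mismatched case is a positive indicator of interception, which is also why defenders should expect pinning malware to go quiet or change behaviour behind such a proxy rather than fail loudly.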